Abstract: A dynamic risk assessment model for network systems based on attack-defense game theory is proposed. It addresses two weaknesses of existing models: they oversimplify the complex dependencies and potential threat paths in the open source software supply chain, and they cope poorly with open source risk in network systems in the big data era. First, system topology information, open source component information and vulnerability information are integrated to build a knowledge graph of open source risk propagation. Second, a threat path generation algorithm based on the knowledge graph is designed to obtain threat paths, and the potential risk of each threat path is evaluated to identify the most likely one. Finally, the idea of stochastic games is introduced to establish NSRAM-RG, a risk-game-based risk assessment model for network systems, which analyzes the game behavior of the attacker and the defender along the most likely threat path. The knowledge graph is updated dynamically, and the risk of the network system is quantified from the utility function. Experimental results show that the assessment results fit the true values more closely than those of the HMM and AHP methods and track changes in system risk more accurately. The proposed model can effectively quantify and assess open source risk in the system and offers a new approach to the security management of the open source software supply chain.
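The pipeline sketched in the abstract (a knowledge graph built from topology, components and vulnerabilities; threat path enumeration; selection of the most likely path; dynamic update when a shared component is patched) is illustrated below with an added Python example. It is not the paper's NSRAM-RG implementation. The host names, component names, vulnerability identifiers and exploit probabilities are constructed, and scoring a path by the product of per-hop exploit probabilities is an assumption of this example, not the paper's evaluation function. The stochastic game stage is not shown because the abstract does not define its utility function.

```python
"""Illustrative open source risk propagation graph and threat path enumeration.

Added example, not code from the paper. Assumptions (not stated in the abstract):
- nodes are hosts, directed edges are network reachability;
- each host deploys open source components drawn from a shared catalog, so a
  vulnerability in one component is inherited by every host that runs it;
- each vulnerability carries an assumed probability of successful exploitation;
- a threat path is likely in proportion to the product of the best exploit
  probability on each hop after the entry point.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Vulnerability:
    vid: str
    p_exploit: float  # assumed probability that exploitation succeeds


@dataclass
class Component:
    name: str
    vulns: List[Vulnerability] = field(default_factory=list)


@dataclass
class KnowledgeGraph:
    reach: Dict[str, List[str]]        # host -> directly reachable hosts
    deployed: Dict[str, List[str]]     # host -> names of components it runs
    catalog: Dict[str, Component]      # component name -> shared component record

    def best_exploit(self, host: str) -> float:
        """Highest exploit probability over all vulns of all components on host (0.0 if none)."""
        best = 0.0
        for cname in self.deployed.get(host, []):
            for v in self.catalog[cname].vulns:
                best = max(best, v.p_exploit)
        return best

    def threat_paths(self, entry: str, target: str) -> List[List[str]]:
        """Enumerate simple paths from entry to target; every hop after entry must be exploitable."""
        paths: List[List[str]] = []

        def dfs(node: str, visited: set, path: List[str]) -> None:
            if node == target:
                paths.append(list(path))
                return
            for nxt in self.reach.get(node, []):
                if nxt in visited or self.best_exploit(nxt) == 0.0:
                    continue  # unreachable without an exploitable weakness on nxt
                visited.add(nxt)
                path.append(nxt)
                dfs(nxt, visited, path)
                path.pop()
                visited.remove(nxt)

        dfs(entry, {entry}, [entry])
        return paths

    def path_likelihood(self, path: List[str]) -> float:
        """Product of per-hop exploit probabilities (assumed scoring, see module docstring)."""
        p = 1.0
        for host in path[1:]:
            p *= self.best_exploit(host)
        return p

    def most_likely_path(self, entry: str, target: str) -> Tuple[Optional[List[str]], float]:
        paths = self.threat_paths(entry, target)
        if not paths:
            return None, 0.0
        best = max(paths, key=self.path_likelihood)
        return best, self.path_likelihood(best)

    def patch(self, component: str, vid: str) -> None:
        """Dynamic update: fixing a vuln in the catalog removes it from every host running the component."""
        comp = self.catalog[component]
        comp.vulns = [v for v in comp.vulns if v.vid != vid]


def build_sample_graph() -> KnowledgeGraph:
    """Constructed sample inventory; identifiers and probabilities are not real CVE data."""
    catalog = {
        "web-framework": Component("web-framework", [Vulnerability("V-WEB-1", 0.5)]),
        "log-lib": Component("log-lib", [Vulnerability("V-LOG-1", 0.9)]),
        "db-driver": Component("db-driver", [Vulnerability("V-DB-1", 0.3)]),
        "hardened-agent": Component("hardened-agent", []),
    }
    reach = {"internet": ["web", "bastion"], "web": ["app", "db"], "bastion": ["app"], "app": ["db"]}
    deployed = {"web": ["web-framework", "log-lib"], "bastion": ["hardened-agent"],
                "app": ["log-lib"], "db": ["db-driver"]}
    return KnowledgeGraph(reach, deployed, catalog)


if __name__ == "__main__":
    g = build_sample_graph()
    print("before patch:", g.most_likely_path("internet", "db"))
    g.patch("log-lib", "V-LOG-1")  # one shared component fix changes two hosts at once
    print("after patch: ", g.most_likely_path("internet", "db"))
```

The sample shows the supply-chain effect the abstract is concerned with: log-lib is deployed on both web and app, so a single catalog-level patch lowers the exploitability of web and removes app from every threat path, and the most likely path and its likelihood are recomputed from the updated graph rather than from a static assessment.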